CVE-2024-10973

MEDIUM

Org.keycloak Keycloak-quarkus-server < 26.0.6 - Cleartext Transmission

Title source: rule

Description

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

References (2)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-10973

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2324361

Scores

CVSS v3 5.7

EPSS 0.0002

EPSS Percentile 6.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (4)

org.keycloak/keycloak-quarkus-server 25.0.0 - 26.0.6Maven

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Published Dec 17, 2024

Tracked Since Feb 18, 2026